

Server security protection focuses on the analysis of data modified by hackers.

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many corporate websites are attacked by hackers. Given only network access, an attacker can remotely operate the target's laptops, network servers, and corporate websites, and so arbitrarily read or tamper with the target's important data, or abuse functions of the target system, such as listening through a phone's microphone or turning on its camera for surveillance. Attackers also use the computing power of a compromised device to mine virtual currency, or use the target device's network bandwidth to launch concurrent CC attacks. Others crack the password of a database server to view sensitive data, or remotely operate access control systems and traffic lights. All of these are classic intrusion scenarios.

At SINE security we define an intrusion of a corporate website as follows: an attacker remotely operates and uses our network resources (including but not limited to reading and writing data, executing commands, and remotely controlling network resources) without authorization, in order to achieve some end goal. In theory, this covers an attacker who attacks the database through a SQL injection vulnerability in the site, who obtains the account password for the target domain at its service provider and tampers with DNS so that it points to a page the attacker made, or who finds the target's social or mailbox account, logs in to the mailbox, and performs unauthorized remote operations on the target's online assets. All of these fall into the category of being hacked.

Site vulnerability scanning for Enterpri

In most cases the scope of enterprise website vulnerability scanning is fairly consistent: it generally covers attackers gaining remote control of PCs, operating systems, web servers, and remote office platforms (involving the OA office network and the production network).

The most common way for attackers to gain remote control of host assets such as PCs and network servers is to execute commands through a shell Trojan. The process of obtaining that shell is called GetShell.

For example, an attacker exploits an image upload vulnerability in the corporate website, uploading a WebShell Trojan under a changed file name, or exploits an RCE vulnerability in the site to execute remote system commands or code. Another typical route is to first plant a "Trojan backdoor" on the web server by some other means, let it lie dormant, and then use the shell function built into the Trojan to control the target remotely.

Therefore, corporate website security testing can focus on the GetShell action itself, and on the further malicious activity that follows a successful GetShell. To extend their gains, attackers will mostly use the shell for probing, for searching for and stealing data, and for lateral movement against other targets on the internal network. These behaviors differ from those of a legitimate user and can also serve as important features.
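One way to put this focus into practice, as an added example that is not part of the original article: a small detector that walks process-creation events, raises an alert when a web server process spawns a shell (GetShell), and then follows that shell's descendants for follow-up activity. The event format, the process-name sets and the sample events are assumptions constructed for illustration.

```python
import os

# Assumed process names; adjust to the web stack actually deployed.
WEB_SERVERS = {"nginx", "httpd", "apache2", "php-fpm"}
SHELLS = {"sh", "bash", "dash"}
FOLLOW_UP = {"id", "whoami", "uname", "netstat", "nmap", "ssh", "curl", "wget"}

# Constructed process-creation events: (pid, ppid, executable, command line)
SAMPLE_EVENTS = [
    (100, 1, "/usr/sbin/nginx", "nginx: master process"),
    (101, 100, "/usr/sbin/php-fpm", "php-fpm: pool www"),
    (200, 1, "/usr/sbin/sshd", "sshd: admin"),
    (201, 200, "/bin/bash", "-bash"),            # admin login shell, not web-spawned
    (202, 201, "/usr/bin/id", "id"),             # same tool, legitimate lineage
    (300, 101, "/bin/sh", "sh -c id"),           # web worker spawns a shell
    (301, 300, "/usr/bin/id", "id"),
    (302, 300, "/usr/bin/ssh", "ssh 10.0.0.5"),  # constructed internal address
]


def detect(events):
    """Return alerts for web-spawned shells and for activity descending from them."""
    names = {}       # pid -> executable basename, used to look up the parent
    tainted = set()  # pids that descend from a web-spawned shell
    alerts = []
    for pid, ppid, exe, cmdline in events:
        name = os.path.basename(exe)
        names[pid] = name
        if ppid in tainted:
            # Everything under a web-spawned shell inherits the taint.
            tainted.add(pid)
            if name in FOLLOW_UP:
                alerts.append(("post-getshell", pid, cmdline))
        elif names.get(ppid) in WEB_SERVERS and name in SHELLS:
            tainted.add(pid)
            alerts.append(("getshell", pid, cmdline))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same `id` command appears twice in the sample: under the administrator's SSH session it raises nothing, while under the web worker's shell it is reported, which is the lineage distinction the paragraph above relies on.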

Many colleagues in the security industry (including vendors of commercial website security products) like to report large volumes of "external scanning, attack probing and attempt behavior" that occur before GetShell, and like to invoke "situational awareness" to tell enterprises that hackers are "attempting an attack". In the author's opinion, this has little practical value. Many enterprises, Meituan takeout included, are under attack from "unknown identities" all the time. Knowing that someone is "trying" to attack, when the attempts do not succeed and cannot lead to an actual intrusion of the website, has little practical value beyond the effort it consumes.

Once we accept being under attack as the normal state, we solve problems within that state: which security hardening measures can be used, and which can be run as routine daily operations. If a measure cannot be run routinely, for example one that needs many people working overtime on temporary emergency response, it will probably be phased out before long. Whether or not we adopt such a measure then makes no essential difference.

Website attacks such as SQL injection and XSS that do not lead to GetShell are, for now, outside the narrow scope of "vulnerability scanning" considered here. We suggest classifying them under areas such as "security vulnerabilities" and "threat awareness" and discussing them separately. Where SQL injection, XSS or another entry point is used to actually carry out GetShell, our main concern is still the key step of GetShell, regardless of where the vulnerable entry point is. Enterprises that are unsure about website security issues can consult a professional website security company; the recommended companies include SINESAFE, Eagle Shield Security, Green Alliance, and Qiming Star, which are among the more professional.
